Insecure Content Security Policy

  • 11 August 2022
  • 2 replies
  • 1021 views

Userlevel 1
Badge +1

We received a penetration testing result from a customer that our Content Security Policy (CSP) is insecure because we use ‘unsafe-inline’ and ‘unsafe-eval’ without nonces. We have this due to the requirement from Heap https://developers.heap.io/docs/web#content-security-policy-csp, but I’d like to know why? Is there any way to get Heap to work without these source list values?


2 replies

Userlevel 1
Badge +1

I submitted a support ticket for this and received a response.  I’m posting it here for those interested.
 

We're actively investigating ways to make this option more secure, but we're not able to directly provide a nonce-based solution at this time. However, it is possible to implement a hash- or nonce-based solution on your end. The hash-based solution is the more straightforward option, as it simply requires sending a hash of the Heap install snippet as part of your CSP. This ensures that the Heap snippet specifically can be run without enabling other inline code generally by requiring unsafe-inline. (Please note that each environment within your project will require its own hash, as an environment-specific ID is included in each environment's Heap install snippet.) Please note that responsibility for implementing and maintaining a nonce or hash solution does fall on your development team.
 
It's also worth reviewing that at present, there are two main components to our Content Security Policy, unsafe-inline and unsafe-eval. While unsafe-inline (or a nonce or hash solution) is currently required for heap.js to capture data, unsafe-eval can be removed if you don't mind losing access to snapshots and the Event Visualizer. One option this allows for is disabling unsafe-eval on the production site, but enabling it for a development version of the site that contains no sensitive data. This will allow definition of events on the development site in the Event Visualizer, and since defined events are shared between environments within a project, those events will be available for reporting in the production environment as well.

Badge

We’re experiencing the same problem, but we’re not able to develop the solution proposed in this paragraph.

However, it is possible to implement a hash- or nonce-based solution on your end. The hash-based solution is the more straight-forward option, as it simply requires sending a hash of the Heap install snippet as part of your CSP.

Our sites are statically generated and the hash could change each time the Heap team decides to update their site/Visual labeling feature; a nonce could be a solution, but for us it is a major refactor of the application. Additionally, we’re forbidden to set unsafe-inline because of security concerns. Any update on this topic?
